Restricting Groove Collaborations Based On Groove Domain Policies

With Groove domain policy settings, an administrator can enforce corporate policies on Groove collaborations. First, we must deploy the Device Management Key to our Groove clients, such that a Groove domain policy becomes enforceable. Two ways there are to configure a managed client:

Adding the Device Management Key, as shown in Figure 1, of a Groove Server 2007 Manager where a Groove account is created makes this Groove account a managed client.

Setting the indicated Account Policy checkbox of the device policy template as shown in Figure 2 will trigger a user prompt during account configuration for allowing Groove to manage the account. A click on YES will result in automatically adding the Device Management Key to the client. Notice with this checkbox set, a Groove account will not be functional without confirming with a YES.

With the Device Management Key deployed, a desktop however needs to be in a lockdown environment to ensure once the key is in place, stays in place.

Next, restricting collaboration based on trust relationships by adding and cross-certifying Groove domain certificates using the interface. Here in Figure 3. the interface is shown for your reference and no cross-certified certificate is included.

Groove Server 2007 Manager is a Certificate Authority which establishes the trust hierarchy in Groove PKI. Groove PKI is a term signifying the PKI automatically deployed within and specific to an associated Groove domain during account configuration process. Since all Groove internal communications are Groove PKI-based, a client in current domain can exchange keys, establish a secure channel, and communicate with only those clients trusting a cross-certified certificate. In other words, a Groove user can send out a workspace invitation to both trusted and non-trusted clients. A non-trusted client however cannot establish a secure channel and consequently will not be able to successfully communicate within Groove with the sender of a workspace invitation and join the associated workspace. This, in essence, prevents a Groove user in current domain from collaborating with a target, however not cross-certified, Groove user in other Groove domain.

Certainly once the settings are save in the default policy templates or customized ones. We will then assign the policy templates to an intended group or account.

Figure 3. Cross-Certified Certificates

Figure 4. Restricting collaborations with only those from certified domains